CVE-2025-38261

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38261
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38261.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38261
Downstream
Published
2025-07-09T10:42:36Z
Modified
2025-10-18T03:12:06.418591Z
Summary
riscv: save the SR_SUM status over switches
Details

In the Linux kernel, the following vulnerability has been resolved:

riscv: save the SR_SUM status over switches

When threads/tasks are switched we need to ensure the old execution's SR_SUM state is saved and the new thread has the old SR_SUM state restored.

The issue was seen under heavy load especially with the syz-stress tool running, with crashes as follows in schedule_tail:

Unable to handle kernel access to user memory without uaccess routines at virtual address 000000002749f0d0
Oops [#1]
Modules linked in:
CPU: 1 PID: 4875 Comm: syz-executor.0 Not tainted 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
Hardware name: riscv-virtio,qemu (DT)
epc : schedule_tail+0x72/0xb2 kernel/sched/core.c:4264
 ra : task_pid_vnr include/linux/sched.h:1421 [inline]
 ra : schedule_tail+0x70/0xb2 kernel/sched/core.c:4264
epc : ffffffe00008c8b0 ra : ffffffe00008c8ae sp : ffffffe025d17ec0
 gp : ffffffe005d25378 tp : ffffffe00f0d0000 t0 : 0000000000000000
 t1 : 0000000000000001 t2 : 00000000000f4240 s0 : ffffffe025d17ee0
 s1 : 000000002749f0d0 a0 : 000000000000002a a1 : 0000000000000003
 a2 : 1ffffffc0cfac500 a3 : ffffffe0000c80cc a4 : 5ae9db91c19bbe00
 a5 : 0000000000000000 a6 : 0000000000f00000 a7 : ffffffe000082eba
 s2 : 0000000000040000 s3 : ffffffe00eef96c0 s4 : ffffffe022c77fe0
 s5 : 0000000000004000 s6 : ffffffe067d74e00 s7 : ffffffe067d74850
 s8 : ffffffe067d73e18 s9 : ffffffe067d74e00 s10: ffffffe00eef96e8
 s11: 000000ae6cdf8368 t3 : 5ae9db91c19bbe00 t4 : ffffffc4043cafb2
 t5 : ffffffc4043cafba t6 : 0000000000040000
status: 0000000000000120 badaddr: 000000002749f0d0 cause: 000000000000000f
Call Trace:
[<ffffffe00008c8b0>] schedule_tail+0x72/0xb2 kernel/sched/core.c:4264
[<ffffffe000005570>] ret_from_exception+0x0/0x14
Dumping ftrace buffer:
   (ftrace buffer empty)
---[ end trace b5f8f9231dc87dda ]---

The issue comes from the put_user() in schedule_tail (kernel/sched/core.c) doing the following:

asmlinkage __visible void schedule_tail(struct task_struct *prev)
{
    ...
    if (current->set_child_tid)
        put_user(task_pid_vnr(current), current->set_child_tid);
    ...
}

the put_user() macro causes the code sequence to come out as follows:

1: __enable_user_access()
2: reg = task_pid_vnr(current);
3: *current->set_child_tid = reg;
4: __disable_user_access()

The problem is that we may have a sleeping function as argument which could clear SR_SUM causing the panic above. This was fixed by evaluating the argument of the put_user() macro outside the user-enabled section in commit 285a76bb2cf5 ("riscv: evaluate put_user() arg before enabling user access")

In order for riscv to take advantage of unsafe_get/put_XXX() macros and to avoid the same issue we had with put_user() and sleeping functions we must ensure code flow can go through switch_to() from within a region of code with SR_SUM enabled and come back with SR_SUM still enabled. This patch addresses the problem allowing future work to enable full use of unsafe_get/put_XXX() macros without needing to take a CSR bit flip cost on every access. Make switch_to() save and restore SR_SUM.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
76d2a0493a17d4c8ecc781366850c3c4f8e1a446
Fixed
69ea599a8dab93a620c92c255be4239a06290a77
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
76d2a0493a17d4c8ecc781366850c3c4f8e1a446
Fixed
788aa64c01f1262310b4c1fb827a36df170d86ea

Affected versions

v4.*

v4.14
v4.14-rc3
v4.14-rc4
v4.14-rc5
v4.14-rc6
v4.14-rc7
v4.14-rc8
v4.15
v4.15-rc1
v4.15-rc2
v4.15-rc3
v4.15-rc4
v4.15-rc5
v4.15-rc6
v4.15-rc7
v4.15-rc8
v4.15-rc9
v4.16
v4.16-rc1
v4.16-rc2
v4.16-rc3
v4.16-rc4
v4.16-rc5
v4.16-rc6
v4.16-rc7
v4.17
v4.17-rc1
v4.17-rc2
v4.17-rc3
v4.17-rc4
v4.17-rc5
v4.17-rc6
v4.17-rc7
v4.18
v4.18-rc1
v4.18-rc2
v4.18-rc3
v4.18-rc4
v4.18-rc5
v4.18-rc6
v4.18-rc7
v4.18-rc8
v4.19
v4.19-rc1
v4.19-rc2
v4.19-rc3
v4.19-rc4
v4.19-rc5
v4.19-rc6
v4.19-rc7
v4.19-rc8
v4.20
v4.20-rc1
v4.20-rc2
v4.20-rc3
v4.20-rc4
v4.20-rc5
v4.20-rc6
v4.20-rc7

v5.*

v5.0
v5.0-rc1
v5.0-rc2
v5.0-rc3
v5.0-rc4
v5.0-rc5
v5.0-rc6
v5.0-rc7
v5.0-rc8
v5.1
v5.1-rc1
v5.1-rc2
v5.1-rc3
v5.1-rc4
v5.1-rc5
v5.1-rc6
v5.1-rc7
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.2
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2-rc6
v5.2-rc7
v5.3
v5.3-rc1
v5.3-rc2
v5.3-rc3
v5.3-rc4
v5.3-rc5
v5.3-rc6
v5.3-rc7
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.2
v6.15.3
v6.15.4
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "id": "CVE-2025-38261-39ba3f1b",
        "target": {
            "file": "arch/riscv/kernel/asm-offsets.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@788aa64c01f1262310b4c1fb827a36df170d86ea",
        "digest": {
            "line_hashes": [
                "4563503644417009285250805390846861500",
                "146817199689139047876117243549430165842",
                "18938990285387820959988557419630042302",
                "155819772622544591261087016482498546451",
                "201116361183204716311392836108689394784",
                "279703790703891319833813459528732500238",
                "24855748594222569451420122395902333460",
                "178069799395918804226428123604239842455"
            ],
            "threshold": 0.9
        }
    },
    {
        "signature_type": "Function",
        "id": "CVE-2025-38261-575c30ba",
        "target": {
            "function": "asm_offsets",
            "file": "arch/riscv/kernel/asm-offsets.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@69ea599a8dab93a620c92c255be4239a06290a77",
        "digest": {
            "function_hash": "112223964902656179592087566461884696447",
            "length": 24173.0
        }
    },
    {
        "signature_type": "Line",
        "id": "CVE-2025-38261-8fff0eb4",
        "target": {
            "file": "arch/riscv/include/asm/processor.h"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@69ea599a8dab93a620c92c255be4239a06290a77",
        "digest": {
            "line_hashes": [
                "287721164602847107315156780962822499581",
                "224679614141330580339366205740645423379",
                "55786067975211343854150757578884209564",
                "71768406593285264462374093211540444996"
            ],
            "threshold": 0.9
        }
    },
    {
        "signature_type": "Function",
        "id": "CVE-2025-38261-a1664006",
        "target": {
            "function": "asm_offsets",
            "file": "arch/riscv/kernel/asm-offsets.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@788aa64c01f1262310b4c1fb827a36df170d86ea",
        "digest": {
            "function_hash": "112223964902656179592087566461884696447",
            "length": 24173.0
        }
    },
    {
        "signature_type": "Line",
        "id": "CVE-2025-38261-ba8226fe",
        "target": {
            "file": "arch/riscv/include/asm/processor.h"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@788aa64c01f1262310b4c1fb827a36df170d86ea",
        "digest": {
            "line_hashes": [
                "287721164602847107315156780962822499581",
                "224679614141330580339366205740645423379",
                "55786067975211343854150757578884209564",
                "71768406593285264462374093211540444996"
            ],
            "threshold": 0.9
        }
    },
    {
        "signature_type": "Line",
        "id": "CVE-2025-38261-dddaaea9",
        "target": {
            "file": "arch/riscv/kernel/asm-offsets.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@69ea599a8dab93a620c92c255be4239a06290a77",
        "digest": {
            "line_hashes": [
                "4563503644417009285250805390846861500",
                "146817199689139047876117243549430165842",
                "18938990285387820959988557419630042302",
                "155819772622544591261087016482498546451",
                "201116361183204716311392836108689394784",
                "279703790703891319833813459528732500238",
                "24855748594222569451420122395902333460",
                "178069799395918804226428123604239842455"
            ],
            "threshold": 0.9
        }
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.15.0
Fixed
6.15.5